Snarky Spider
Snarky Spider is a financially motivated threat group affiliated with The Com and closely aligned with Scattered Spider. It is also tracked as O-UNC-025 and UNC6661. CrowdStrike reported that the group has been active since at least October 2025 and primarily targets U.S.-based organizations across sectors including academic, aviation, retail, hospitality, automotive, financial services, legal, and technology, as well as multiple critical infrastructure sectors. The group conducts rapid data theft and extortion campaigns, often operating almost exclusively within trusted SaaS environments such as Google Workspace, HubSpot, Microsoft SharePoint, and Salesforce to minimize endpoint visibility and accelerate impact.
Its intrusion chain relies heavily on voice phishing and social engineering, including impersonation of IT support or help desk personnel via phone calls, as well as text messages and emails, to direct victims to adversary-in-the-middle phishing pages that mimic legitimate single sign-on or identity provider portals. These pages capture credentials, MFA codes, session keys, or tokens, allowing access to the victim's identity provider and lateral movement across SSO-integrated SaaS applications.
After compromise, Snarky Spider establishes persistence by removing existing MFA devices, registering attacker-controlled devices, and deleting or filtering security notifications through inbox rules. Reporting specifically states that Snarky Spider almost exclusively enrolls Genymobile Android emulators for connected-device management. The group also scrapes internal employee directories to identify privileged users, targets high-privileged accounts through additional social engineering, searches SaaS platforms for high-value information, and can begin high-volume data exfiltration in under an hour.
The group uses living-off-the-land techniques and residential proxy or VPN services to conceal its origin and evade IP-based detection; providers named in reporting include Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and NSOCKS. Its operations are focused on data theft for extortion, with reported ransom demands often reaching seven figures. Reporting also states that some victims have faced follow-on harassment including swatting, and some non-paying victims have experienced DDoS attacks. CrowdStrike described Snarky Spider as a native English-speaking crew and as part of a new generation using much of Scattered Spider’s playbook.
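
One way to detect the persistence pattern described above (MFA device removal, new device enrollment, notification-hiding inbox rules), as an added example that is not from this page or the reporting it cites. The event schema, action names, `manufacturer` field, and one-hour correlation window are assumptions; map them to your own identity provider's audit log.

```python
from datetime import datetime, timedelta

# Constructed audit events. Field and action names are hypothetical,
# not any identity provider's real log schema.
EVENTS = [
    {"ts": "2026-01-12T09:00:00", "user": "j.chen", "action": "mfa.factor.removed", "detail": {}},
    {"ts": "2026-01-12T10:00:00", "user": "m.okafor", "action": "mfa.factor.removed", "detail": {}},
    {"ts": "2026-01-12T10:20:00", "user": "m.okafor", "action": "mfa.device.enrolled", "detail": {"manufacturer": "samsung"}},
    {"ts": "2026-01-12T14:02:11", "user": "a.rivera", "action": "mfa.factor.removed", "detail": {}},
    {"ts": "2026-01-12T14:05:40", "user": "a.rivera", "action": "mfa.device.enrolled", "detail": {"manufacturer": "Genymobile"}},
    {"ts": "2026-01-12T14:09:02", "user": "a.rivera", "action": "mail.inbox_rule.created", "detail": {"rule_action": "delete"}},
    {"ts": "2026-01-12T15:30:00", "user": "j.chen", "action": "mfa.device.enrolled", "detail": {"manufacturer": "Google"}},
]

WINDOW = timedelta(minutes=60)  # assumption: correlate events within one hour

def when(ev):
    return datetime.fromisoformat(ev["ts"])

def find_mfa_swaps(events, window=WINDOW):
    """Flag users whose MFA removal is followed by a new enrollment in the window."""
    by_user = {}
    for ev in sorted(events, key=when):
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "mfa.factor.removed":
                continue
            later = [e for e in evs[i + 1:] if when(e) - when(ev) <= window]
            enrolls = [e for e in later if e["action"] == "mfa.device.enrolled"]
            if not enrolls:
                continue
            reasons = ["mfa_removed_then_enrolled"]
            # Escalate when the new device reports an emulator vendor.
            if any("genymobile" in e["detail"].get("manufacturer", "").lower() for e in enrolls):
                reasons.append("emulator_device")
            # Escalate when a mail-deleting inbox rule appears in the same window.
            if any(e["action"] == "mail.inbox_rule.created"
                   and e["detail"].get("rule_action") == "delete" for e in later):
                reasons.append("inbox_rule_deletes_mail")
            findings.append({"user": user, "start": ev["ts"], "reasons": reasons})
            break  # one finding per user is enough to open a case
    return findings

if __name__ == "__main__":
    for finding in find_mfa_swaps(EVENTS):
        print(finding)
```

A finding with only `mfa_removed_then_enrolled` is often a legitimate phone replacement; the additional reasons are what separate routine swaps from the pattern described in the profile.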
Tradecraft
20 distinct techniques observed across reporting, grouped by tactic.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Conducting aggressive SaaS-focused intrusions and data theft, with especially rapid exfiltration timelines, using vishing and AiTM phishing for initial access, MFA device enrollment for persistence, and cloud-native searches to identify and steal sensitive data.
Conducting rapid SaaS-centric data theft and extortion operations, beginning exfiltration very quickly after compromise and relying on vishing and AiTM phishing to obtain credentials and access SSO-connected services.
Financially motivated threat group affiliated with The Com conducting rapid data theft and extortion attacks against organizations across multiple sectors, using voice-phishing and social engineering to compromise identity platforms and move through SaaS environments.
Financially motivated extortion and data-theft activity targeting identity systems and SaaS ecosystems. The group is described as closely aligned with Scattered Spider and uses aggressive harassment tactics in follow-on extortion activity.